Compatible Systems INTRAPORT 2 Administrator's Manual

VPN Access Server

IntraPort 2 and IntraPort 2+
VPN Access Server
Administrator's Guide
Compatible Systems Corporation
4730 Walnut Street
Suite 102
Boulder, Colorado 80301
303-444-9532
800-356-0283
http://www.compatible.com


Summary of Contents for Compatible Systems INTRAPORT 2

  • Page 1 IntraPort 2 and IntraPort 2+ VPN Access Server Administrator’s Guide Compatible Systems Corporation 4730 Walnut Street Suite 102 Boulder, Colorado 80301 303-444-9532 800-356-0283 http://www.compatible.com...
  • Page 2 IntraPort 2 and IntraPort 2+ VPN Access Server Administrator’s Guide, Version 1.5 Copyright © 1999, Compatible Systems Corporation All rights reserved. IntraPort, RISC Router, MicroRouter and CompatiView are trademarks of Compatible Systems Corporation. Other trademarks are the property of their respective holders.
  • Page 3: Table Of Contents

    Chapter 2 - Getting Started: Notes: Please Read the Manuals; Warranty and Service; Getting Help with the IntraPort 2/2+ VPN Access Server. What You Will Need To Get Started: Supplied with the IntraPort 2/2+ VPN Access Server; Needed for Installation; Ethernet Connection Requirements; VPN Client Software Requirements...
  • Page 4 Chapter 6 - Basic Configuration Guide: Setup Options; Diagram of Dual-Ethernet Setup; Diagram of Single-Ethernet Setup. Configuration Using CompatiView: VPN Client Tunnel Settings; Configuring the Server for LAN-to-LAN Tunnels. Basic Configuration Using Command Line: VPN Client Tunnel Settings; Configuring the Server for LAN-to-LAN Tunnels. Chapter 7 - Alternate Protocols and Security Parameters: IPX Protocol...
  • Page 5 Console Cable. Appendix C - Security Dynamics ACE/Server Information. Appendix D - LED Patterns and Test Switch Settings: IntraPort 2/2+ VPN Access Servers LED Patterns; Ethernet Back Panel Indicators LEDs; Front Panel LEDs; Sys Ready; Power On, No Traffic...
  • Page 7: Chapter 1 - Introduction

    IntraPort 2/2+ VPN Access Server Installation Overview This manual will help you install either the IntraPort 2 or the IntraPort 2+ VPN Access Server on your Local Area Network. For an overview on installing and running the VPN Client software at remote user locations, refer to the VPN Client Reference Guide.
  • Page 8 Install and Configure the VPN Client software for remote users. The manual is divided into several sections that should provide you with all the information you will need to use the IntraPort 2/2+ on your network. Getting Started...
  • Page 9 Alternate Protocols and Security Parameters This part of the manual lists configuration parameters that must be set in order to use the IntraPort 2/2+ VPN Access Server with protocols other than TCP/IP, and when using additional security parameters such as SecurID and RADIUS.
  • Page 11: Chapter 2 - Getting Started

    Getting Help with the IntraPort 2/2+ VPN Access Server If you have a question about the IntraPort 2/2+ VPN Access Server and can’t find the answer in one of the manuals included with the product, please visit the technical support section of our Web site (http://www.compatible.com).
  • Page 12: What You Will Need To Get Started

    What You Will Need To Get Started Before installing the IntraPort 2/2+ VPN Access Server, please check the list below to make sure that you have received all of the items that are supplied with the server package.
  • Page 13: Ethernet Connection Requirements

    Note: Ethernet cables and cable connectors are not supplied with the IntraPort 2/2+ product. Please contact your reseller or your Compatible Systems representative for information on obtaining the correct Ethernet cabling supplies.
  • Page 15: Chapter 3 - Network Installation

    Chapter 3 - Network Installation Figure 1. IntraPort 2/2+ VPN Access Server Back Panel This section of the manual describes how to connect the IntraPort 2/2+ VPN Access Server to your Ethernet network. In summary, the steps for installation are: Make sure the server is powered down and not connected to any power source.
  • Page 16: Connecting A Management Console

    If you wish to connect an out-of-band management console, use the supplied cable and connect to the Console interface on the back of the IntraPort 2/2+. You can use a dumb terminal or a computer equipped with VT100 terminal emulation.
  • Page 17: Chapter 4 - CompatiView Software Installation

    CompatiView. CompatiView is included on the CD-ROM which was shipped with your IntraPort 2/2+ VPN Access Server. If your IntraPort 2/2+ is running software version 5.0 or later, then you must use CompatiView version 5.3 or later.
  • Page 18: Installation And Operation

    Installation and Operation The Windows version of the CompatiView program can be found in the Network Management/CompatiView/Windows directory on the CD-ROM that was included with your IntraPort 2/2+ VPN Access Server. Run the auto-installation program (CV5x file) by double-clicking on it.
  • Page 19 Chapter 4 - CompatiView Software Installation two most common IPX frame types upon startup (802.2 and 802.3 (raw)). If CompatiView has the IPX/SPX protocol selected as its transport, it will be necessary to either power up the server before powering up the workstation, or reboot the workstation after the server has completed its boot sequence.
  • Page 21: Chapter 5 - Command Line Management

    9600, 8 bits, no parity, 1 stop bit and no Flow Control. Connect it to the server’s Console interface using the cable which was supplied with the IntraPort 2/2+. Press the <Return> key one or two times. Enter the default password letmein at the password prompt. The command line interface prompt will appear on the screen.
  • Page 22: Temporarily Reconfiguring A Host For Command Line Management

    Setting Up Telnet Operation Telnet is a remote terminal communications protocol based on TCP/IP. With Telnet you can log into and manage the IntraPort 2/2+ from anywhere on your IP internetwork, including across the Internet if your security setup allows it.
  • Page 23 Chapter 5 - Command Line Management command line interface, do the following: A. Use the configure command and set the IPAddress, SubnetMask, and IPBroadcast keywords in the IP Ethernet 0 section. B. Use the save command to save the changes to the device’s Flash ROM.
  • Page 25: Chapter 6 - Basic Configuration Guide

    VPN Client software Setup Options The IntraPort 2/2+ can be set up in two different ways. The recommended setup is to use both Ethernet ports so that it operates in parallel with your existing firewall or proxy server and serves as the IPSec component of your security system.
  • Page 26: Diagram Of Dual-Ethernet Setup

    Chapter 6 - Basic Configuration Guide Diagram of Dual-Ethernet Setup Figure 2. Diagram of Dual-Ethernet Setup...
  • Page 27: Diagram Of Single-Ethernet Setup

    Chapter 6 - Basic Configuration Guide Diagram of Single-Ethernet Setup Figure 3. Diagram of Single Ethernet Setup...
  • Page 28: Configuration Using CompatiView

    Note: Remember that in single Ethernet setups, Ethernet 1 must not be connected to anything or else it may cause difficult to diagnose problems on the IntraPort 2/2+ and on your network. 1. Turn off AppleTalk and IPX (optional).
  • Page 29 A. Click the IP Routing radio button. B. Enter the internal TCP/IP address you have assigned the IntraPort 2/2+. Verify that you have the IP Address, the Network IP Subnet Mask and the Network IP Broadcast Mask correctly entered. Incorrect information can cause difficult to diagnose problems or disable the IntraPort until the information is corrected.
  • Page 30 A. Click the IP On radio button. B. Enter the external TCP/IP address you have assigned the IntraPort 2/2+. This address must not be in the same TCP/IP network as Ethernet 0 or you will disable TCP/IP in the IntraPort 2/2+. Verify that you have the IP Address, the Network IP Subnet Mask and the Network IP Broadcast Mask correctly entered.
  • Page 31 For single Ethernet setups, enter the internal TCP/IP address of your upstream Internet access/firewalling router. In either case, this address must be on the same TCP/IP network as the Ethernet 0 address of the IntraPort 2/2+. Single Ethernet Static Route...
  • Page 32 Chapter 6 - Basic Configuration Guide Leave all other parameters at their default settings for basic configuration, or refer to the CompatiView Management Software Reference Guide for more advanced configuration settings. Note: For single Ethernet setups, you must configure the firewall to allow: • UDP port 500 (ISAKMP) • Protocol number 51, which is the AH (Authentication...
  • Page 33 TCP/IP address of the upstream or Internet router for your network. This must be an address on the same TCP/IP network as the Ethernet 1 address of the IntraPort 2/2+. For single Ethernet setups, the IPSec Gateway is an optional setting.
  • Page 34 Chapter 6 - Basic Configuration Guide 6. Set an IKE Policy. There are two phases to the IKE negotiation. During Phase 1 negotiation, the IntraPort and Client must authenticate each other. The IKE Policy dialog box controls this Phase 1 negotiation. Phase 2 negotiation involves the setup of an individual tunnel connection and is controlled by the VPN Group Configuration, documented in Step 7.
  • Page 35 Chapter 6 - Basic Configuration Guide 7. Set up VPN Group Configurations. VPN Group Configuration: General Tab To access this dialog box, select VPN Group Configuration in the Device View. A. Click on the New... button. B. Enter a New VPN Group Config Name (e.g. Sales, Accounting, etc.) in the pop-up box.
  • Page 36 Chapter 6 - Basic Configuration Guide without receiving any traffic from a client belonging to this VPN Group Configuration without ending the tunnel session. • Set the Minimum Client Version or keep the default value. This places a limit on the VPN Client Software version number which will be allowed to connect.
  • Page 37 Chapter 6 - Basic Configuration Guide IKE Configuration Transform List The default settings of MD5 for Authentication and DES for Encryption are adequate for most setups. Click OK. • In the IKE Key Management dialog box, you may click on the PFS checkbox to add additional security parameters during tunnel sessions.
  • Page 38 Chapter 6 - Basic Configuration Guide Dual Ethernet VPN Group Configuration: IP Connection Tab Single Ethernet VPN Group Configuration: IP Connection Tab On the IP Connection Tab: • Enter the Start IP Address. This specifies the first IP address to be assigned to client sessions under this configuration.
  • Page 39 Chapter 6 - Basic Configuration Guide same network as Ethernet 0 or a subinterface thereof). Also, they cannot conflict with those used for any other VPN Groups. Note: For large numbers of users (i.e., over 50), it’s recommended that the block of addresses be specified as a Local IP Net because address administration is easier.
  • Page 40 Chapter 6 - Basic Configuration Guide VPN Group Configuration: IPX Connection Tab H. If you will be tunneling IPX traffic, click the IPX Connection Tab. • Enter an IPX network number in the Start IPX Network edit box. This IPX network number is the first IPX address assigned to an incoming Client tunnel session.
  • Page 41 Chapter 6 - Basic Configuration Guide 8. Set up VPN Users. If you are using a RADIUS server for user authentication, you will need to set up VPN users on that server. If not, then you must enter each user into the VPN User database.
  • Page 42 B. From the File menu choose Save To > Device. This will bring up a download configuration dialog window. Choose the IntraPort 2/2+ if given the option. When asked if you are sure that you want to download the configuration and restart the device, click on the Yes button.
  • Page 43: Configuring The Server For LAN-To-LAN Tunnels

    Chapter 6 - Basic Configuration Guide Configuring the Server for LAN-to-LAN Tunnels This section configures VPN tunnel parameters and defines a virtual port for LAN-to-LAN tunnel traffic. It assumes that you have already assigned IP addresses to the Ethernet interface(s), and set up static routes, as shown in VPN Client Tunnel Settings. Note: VPN Ports are only used for LAN-to-LAN tunnels.
  • Page 44 Chapter 6 - Basic Configuration Guide C. If you are using both Ethernet ports, then the Bind To interface should be set to Ethernet 1. For single Ethernet setups, it should be Ethernet 0. This specifies which interface on this device will act as the end point for the tunnels defined by this configuration.
  • Page 45 Chapter 6 - Basic Configuration Guide will only initiate tunnel establishment attempts and will not respond to them. If Respond is selected, this Tunnel Partner will use IKE, but will only respond to tunnel establishment attempts and will not initiate them. B.
  • Page 46 B. From the File menu choose Save To > Device. This will bring up a download configuration dialog window. Choose the IntraPort 2/2+ if given the option. When asked if you are sure that you want to download the configuration and restart the device, click on the Yes button.
  • Page 47: VPN Client Tunnel Settings

    Basic Configuration Using Command Line This section briefly discusses the major parameters that must be set in order to use the IntraPort 2/2+ VPN Access Server using command line management or text-based configuration, either out-of-band (through the server’s Console interface) or in-band through Telnet.
  • Page 48 [ IP Ethernet 0 ] # ipbroadcast=206.45.55.255 3. (Dual Ethernet) Set basic IP parameters for Ethernet 1. Enter the external TCP/IP address you have assigned the IntraPort 2/2+. This address must not be in the same TCP/IP network as Ethernet 0 or you will disable TCP/IP in the IntraPort 2/2+.
  • Page 49 TCP/IP address of your upstream Internet access/firewalling router. In either case, this address must be on the same TCP/IP network as the Ethernet 0 address of the IntraPort 2/2+. Use edit config to modify the IP Static section. Configuration lines in this section have the following format: <Destination><Mask><Gateway/Port><Metric>[<Redist=(RIP|none)>]...
  • Page 50 Internet router for your network. This must be an address on the same TCP/IP network as the Ethernet 1 address of the IntraPort 2/2+. For single Ethernet setups, the IPSec Gateway is an optional setting. It serves as a default gateway for all IPSec (i.e., tunneled) traffic.
  • Page 51 Chapter 6 - Basic Configuration Guide 7. Set up VPN Group Configurations. This is where tunneling profiles for a group of one or more IntraPort 2/2+ users are defined. Use configure VPN Group Name to create a VPN Group section and set the following keywords in the section you just created: BindTo-Specifies which interface on the device will act as the local end point for the tunnels defined by this configuration.
  • Page 52 Chapter 6 - Basic Configuration Guide Ethernet example, 192.168.233.0/24), all traffic from a client going to the internal network will be tunneled through the IntraPort 2/2+. This is the most common configuration. There can be multiple entries, including individual addresses (i.e. hosts).
  • Page 53 After the IntraPort has rebooted, users will be able to connect with VPN Client software. Note: Do not turn the IntraPort 2/2+ off during the boot process or it will lose its operating software.
  • Page 54: Configuring The Server For LAN-To-LAN Tunnels

    Chapter 6 - Basic Configuration Guide Configuring the Server for LAN-to-LAN Tunnels This section configures VPN tunnel parameters and defines a virtual port for LAN-to-LAN tunnel traffic. It assumes that you have already assigned IP addresses to the Ethernet interface(s), and set up static routes, as shown in VPN Client Tunnel Settings. Note: VPN Ports are only used for LAN-to-LAN tunnels.
  • Page 55 When asked if you are sure that you want to download the configuration and restart the device, reply yes. After the IntraPort has rebooted, LAN-to-LAN tunnels can be established. Note: Do not turn the IntraPort 2/2+ off during the boot process or it will lose its operating software.
  • Page 56: Parameters

    Chapter 7 - Alternate Protocols and Security Parameters Chapter 7 - Alternate Protocols and Security Parameters This chapter briefly discusses the configuration of the IntraPort 2/2+ VPN Access Server for AppleTalk and IPX, and with RADIUS and SecurID authentication servers.
  • Page 57: AppleTalk Protocol

    Chapter 7 - Alternate Protocols and Security Parameters AppleTalk Protocol Required for AppleTalk Generally, there are no required changes from the shipping Ethernet configuration for AppleTalk. The Ethernet interface will autoconfigure to use AppleTalk Phase 2, and will adapt to conditions on the Ethernet. Suggested for AppleTalk You may want to set your own network numbers, rather than using the autoconfigured values.
  • Page 58: RADIUS Server User Authentication Settings

    Chapter 7 - Alternate Protocols and Security Parameters RADIUS Server User Authentication Settings In order for client authentication and accounting to be done on a RADIUS server, the RADIUS server must be configured with four pieces of data for each user. •...
  • Page 59: Setting Up SecurID Authentication

    Chapter 7 - Alternate Protocols and Security Parameters attribute settings will require that you enter users in the Users text file. See the user manual for your server for more information on exporting, editing and importing the Users text file. In addition to the RADIUS server settings, the user name, login password and tunnel secret must match the settings for each user in the User Properties window of the VPN Client.
  • Page 60: Setting The IntraPort For An ACE/Server

    Chapter 7 - Alternate Protocols and Security Parameters Setting the IntraPort for an ACE/Server Just a few basic settings are required for the IntraPort to communicate with an ACE/Server. • SecurID on • Encryption method • ACE/Server IP address • Enable SecurID for a group of IntraPort users CV: Use the SecurID Configuration Window (under Global/SecurID Configuration) to set up a server.
  • Page 61: Saving A Configuration File To Flash ROM

    Chapter 7 - Alternate Protocols and Security Parameters Saving a Configuration File to Flash ROM Once a configuration is complete, you can save it to the router’s Flash ROM. Until saved, all changes are made in a separate buffer and the server’s interfaces continue to run as before the changes were made.
  • Page 63: Appendix A - Shipping Defaults

    Appendix A - Shipping Defaults Appendix A - Shipping Defaults Ethernet Interfaces Default Password • letmein IP Defaults • Ethernet 0 is on • Address: 198.41.12.1 • Subnet mask: 255.255.255.0 • Broadcast address: 198.41.12.255 • Mode: Routed • Ethernet 1 is off IPX Defaults •...
  • Page 64: Appendix B - Connector And Cable Pin Outs

    Pin Outs for DB-25 Male to DB-25 Female RS-232 Data & Console Cable The cable supplied with the IntraPort 2/2+ VPN Access Server is 25 conductors connected straight through. Connections on the Console interface follow the standard RS-232 pin outs.
  • Page 65: Information

    Appendix C - Security Dynamics ACE/Server Information ACE/Server software and SecurID tokens can be purchased directly from Security Dynamics Technologies, Inc. Use the following information to contact Security Dynamics for more information: Security Dynamics Technologies, Inc.
  • Page 67: Appendix D - LED Patterns And Test Switch Settings

    Activity: The Activity light indicates that there is activity across the link. Front Panel LEDs The IntraPort 2 and IntraPort 2+ VPN Access Servers use a number of light patterns on their front LED bars to indicate various operating conditions.
  • Page 68: IntraPort 2+ Connections/Users LEDs

    Appendix D - LED Patterns and Test Switch Settings IntraPort 2 Connections/Users LEDs Connections/Users LED IntraPort 2+ Connections/Users LEDs Connections/Users LED User Range 1 - 5 6 - 11 12 - 17 18 - 23 24 - 29 30 - 35...
  • Page 69: IntraPort 2+ Special Indicators

    2&3 flashing 1&20, 80&100, 160&180 flashing 1,4&5 flashing 120&140(and Sys Rdy) flashing Scanning from the outside toward the center IntraPort 2/2+ VPN Access Server Switch Settings Normal Operation Unused* Unused* Run Boot ROM Downloader Unused* Erase Flash ROM (OS and Configuration)
  • Page 71: Systems

    Appendix E - Downloading Software From Compatible Systems The latest versions of operating software for all Compatible Systems products are available at our Web site. The latest version of CompatiView management software is also available. To download software, follow the instructions below.
  • Page 73: Appendix F - Terms And Conditions

    Compatible Systems. In the absence of such agreement, commencement of performance or delivery shall be for Customer’s convenience only and shall not be construed as an acceptance of Compatible Systems’ terms and conditions. If a contract is not earlier formed by mutual agreement in writing, Customer’s acceptance of any goods or services shall be deemed...
  • Page 74 Compatible Systems shall not be liable for any premium transportation or other costs or losses incurred by Customer as a result of Compatible Systems inability to deliver Product in accordance with Customer’s requested delivery dates.
  • Page 75 WARRANTY, NEGLIGENCE, OR ANY OTHER CAUSE WHATSOEVER, WHETHER OR NOT SIMILAR. This limitation on remedies shall apply even if Compatible Systems is advised of the possibility and nature of any special, consequential, or incidental damages. 7. Governing Law; Merger. This agreement and all Terms and Conditions hereof shall be governed by, and construed in accordance with the internal laws of the State of Colorado.

This manual is also suitable for:

IntraPort 2+